2002-10-09
Developers are accused of not publicizing the browser's security vulnerabilities enough. But do we really need world wide alerts for every bug?
Cool a unix/lenix guy preaching the same stuff as M$crud
2002-10-09
Twinker (3 replies)
Cool a unix/lenix guy preaching the same stuff as M$crud
2002-10-09
Rob John <rdrj@mindspring.com> (2 replies)
Mozilla's 'Code of Silence' Isn't
2002-10-10
Twinker (2 replies)
Mozilla's 'Code of Silence' Isn't
2002-10-11
XandreX (1 reply)

The problem, Jon, is twofold:
1) Who do we disclose to?
2) What measures do we take to keep the disclosures from being spread?
The first issue is, well, who is going to say that Serge can see the bug, but not Jon? Who appoints the gatekeepers?
A company with a special interest?
A project, which (as your article pointed out) also has an interest?
A third party like an OEM?
A large (and slow) organization?
Then we come to the question of by what means does the information stay hidden. An unspoken understanding? A handshake? An NDA? Threat of criminal action?
While I agree that we can sometimes do better by not disclosing a security vulnerability the minute we find one, your article didn't tackle the bigger social and political issues that *not* disclosing them does.
- Serge Wroclawski
Link to this comment: http://www.securityfocus.com/comments/columns/114/16815#16815